OCI Level 100 - Identity and Access Management (demo starts at 29:00)
Figure 1. Oracle Cloud Infrastructure Architecture
Key Concepts/Components
IAM is built on the following key concepts and components:
- Resource
- Includes compute instances, block storage volumes, virtual cloud networks (VCNs), subnets, and route tables
- Each OCI resource has a unique Oracle Cloud ID (OCID)
- A resource can't be reassigned to a different compartment after creation (exception: Buckets)
- Tenancy
- Is the equivalent of an account
- Oracle automatically creates your company's tenancy for you
- Provisioned with a single, top-level compartment called the root compartment
- Root compartment contains all of your organization's OCI resources.
- Compartment
- Logical container used for organizing and isolating cloud resources
- Each resource is in exactly one compartment[3]
- However, resources can be connected and shared across compartments
- Can be deleted or renamed after creation
- Can have sub-compartments nested up to 6 levels deep
- Sub-compartments inherit access permissions from the compartments above them in the hierarchy
- Holds a collection of related resources
- Root compartment
- Directly within the tenancy are IAM resources like:
- users, groups, compartments, and some policies
- Other compartments created by you
- Within your created compartments inside the tenancy are other types of cloud resources:
- instances, virtual networks, and block storage volumes
- Principal
- Is an IAM entity that is allowed to interact with OCI resources
- Includes IAM users and instance principals
- Instance principals let instances (and the applications running on them) make API calls against other OCI services, removing the need to configure user credentials or configuration files
- User
- An individual that needs to manage or use OCI resources
- Might need to launch instances, manage remote disks, work with virtual cloud networks, etc.
- Users can be created and given console passwords to use the web console and/or API signing keys to use the REST API and SDKs
- Can have one or more IAM credentials
- A user must be placed in groups to be given access to cloud resources
- A new user has no permissions until you place the user in one or more groups and there is at least one policy that gives that group permission to either the tenancy or a compartment
- Group
- A collection of users who all need the same type of access to a particular set of resources or compartment
- Users can be members of multiple groups
- Used to grant privileges to cloud resources
- A group has no permissions until you write at least one policy that gives that group permission to either the tenancy or a compartment
- Policy
- A document that specifies who can access which resources, and how.
- Access is granted at the group level and compartment level
- You can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy itself.
- If you give a group access to the tenancy, the group automatically gets the same type of access to all the compartments inside the tenancy.
- Some policies are directly within the tenancy and some are within your created compartments inside the tenancy
- Home Region
- The region where your IAM resources reside.
- IAM resources (compartments, users, groups, and policies) are global. So, you can access them across all regions.
- However, the master set of definitions resides in a single region, the home region.
- You make changes to your IAM resources in your home region, and the changes are automatically propagated to all regions.
Figure 2. OCI Compartments (Tenancy: Root Compartment)
Policies
OCI authorization specifies the actions an authenticated principal can perform. You define the privileges (in policies) that are associated with authenticated principals through groups. Let's recap the default behaviour of the IAM service:
The IAM service enforces the security principle of least privilege by default: new users cannot perform any action on any resource until they are granted the appropriate permissions through policies.
Policies consist of one or more statements, each specifying which groups can access which resources and what level of access the users in that group have. They are written in a human-readable format:
Allow group <group_name> to <verb> <resource-type> in tenancy <tenancy_name>
Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> [where <conditions>]
Example:
Allow group NetworkAdmins to manage virtual-network-family in tenancy
Allow group ProjectA_Admins to manage all-resources in compartment ProjectA_compartment
Allow group ObjectWriters to manage objects in compartment demo where any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'}
ALLOW GROUP AnalyticsAdmin TO READ compartments IN TENANCY
ALLOW GROUP AnalyticsAdmin TO READ virtual-network-family IN TENANCY
For more information, see Example Scenario and How Policies Work.
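As an added example (not from the original post, the video, or Oracle's SDK), the following Python evaluator applies the policy semantics described above to an access request: default deny, tenancy-scope grants reaching every compartment, compartment grants reaching sub-compartments, and `request.permission` conditions. The verb ladder inspect < read < use < manage is OCI's documented ordering rather than something this page states, the resource-family membership table is partial and illustrative, and the parser accepts only the statement forms shown above.

```python
import re
# OCI's verb ladder (documented ordering, not stated on this page): each verb includes the ones before it.
VERBS = ["inspect", "read", "use", "manage"]
# Assumed, partial mapping of aggregate resource types to the types they cover; None = every type.
FAMILIES = {"all-resources": None, "virtual-network-family": {"vcns", "subnets", "route-tables"}}
# Grammar of the forms shown above: Allow group G to VERB TYPE in tenancy|compartment C [where COND]
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+(\S+)\s+in\s+"
    r"(?:tenancy(?:\s+\S+)?|compartment\s+(\S+))(?:\s+where\s+(.+))?$", re.IGNORECASE)
PERM_RE = re.compile(r"request\.permission\s*=\s*'([^']+)'", re.IGNORECASE)

def parse_statement(text):
    """Return (group, verb, resource-type, compartment or None for tenancy scope, where-condition)."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a policy statement in the form shown above: {text!r}")
    group, verb, resource, compartment, condition = m.groups()
    return group, verb.lower(), resource.lower(), compartment, condition

def condition_allows(condition, permission):
    """`where` clauses made only of request.permission tests (`any {...}` or a single test) are
    evaluated; anything else (`all`, other variables) is not understood here and fails closed."""
    if condition is None:
        return True
    perms = set(PERM_RE.findall(condition))
    leftover = re.sub(r"\bany\b|[{},\s]", "", PERM_RE.sub("", condition), flags=re.IGNORECASE)
    return bool(perms) and not leftover and permission in perms

def is_allowed(policies, parents, user_groups, verb, resource, compartment, permission=None):
    """Default deny. `parents` maps a compartment to its parent (None = under the root); a tenancy-scope
    statement reaches every compartment and a compartment statement also reaches its sub-compartments."""
    scopes = set()
    while compartment is not None:  # the target compartment plus all of its ancestors
        scopes.add(compartment)
        compartment = parents.get(compartment)
    for raw in policies:
        group, sverb, sres, scomp, cond = parse_statement(raw)
        covered = FAMILIES.get(sres, {sres})
        if (group in user_groups and VERBS.index(sverb) >= VERBS.index(verb)
                and (covered is None or resource in covered)
                and (scomp is None or scomp in scopes) and condition_allows(cond, permission)):
            return True
    return False

# Constructed sample: the page's three example statements plus a "dev" sub-compartment of ProjectA.
PARENTS = {"ProjectA_compartment": None, "demo": None, "dev": "ProjectA_compartment"}
POLICIES = ["Allow group NetworkAdmins to manage virtual-network-family in tenancy",
            "Allow group ProjectA_Admins to manage all-resources in compartment ProjectA_compartment",
            "Allow group ObjectWriters to manage objects in compartment demo "
            "where any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'}"]
```

Because unknown `where` constructs fail closed, a `False` result can mean "could not evaluate" as well as "not granted", which is the right default when auditing policies you did not write.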
Figure 3. Permissions granted using Policy statements
Resource Locations
The table below summarizes where OCI resources are located and from where they can be accessed:
| Service | Resource | Location | Notes |
| --- | --- | --- | --- |
| IAM | Users, Groups, Policies, Compartments, API Signing Keys | Global | |
| Compute | Images | Region | |
| Compute | Instances | AD | Instances can be attached only to volumes in the same AD |
| Compute | Volumes | AD | |
| Compute | Volume backup | Region | Backups can be restored as new volumes to any AD within the same group |
| Database | DB Systems | AD | |
| Network | Virtual Cloud Network (VCN) | Region | |
| Network | Subnet | AD | |
| Network | Security Lists, Route Table | Region | |
| Network | Dynamic Routing Gateway (DRG) | Region | |
| Network | Customer Premises Equipment (CPE), Internet Gateway | Region | |
| Load Balancer | Load Balancer | Region | |
| Object Storage | Buckets | Region | A bucket is a regional resource, but it can be accessed from any location as long as the correct region-specific URL is used. |
Sorted by scope, here is another summary:
- Global
- IAM
- Key Vaults, Keys
- DNS
- Availability Domain
- Subnet
- Compute instances
- Block Volume
- DB Systems
- File System (& Mount Target)
- Ephemeral Public IPs
- Regional
- Everything else (e.g. VCN, Object Storage)